Malicious RTF — malware analysis report

Static analysis result for SHA-256 d1c45f4ceafcb19d…

MALICIOUS

RTF

Size: 1.62 MB
Created: 2018-01-21 04:15:00
First seen: 2021-02-23
MD5: a0026b7e0006aa54d87d561304c83ede
SHA-1: f8ddc2ea54ba0efb745859aaa9e3b834ef55faad
SHA-256: d1c45f4ceafcb19d139770a70785d9e35ad90a539519bb6a83ea09f315909adc
Risk score: 242

Heuristics (6)

  • ClamAV: Doc.Macro.Obfuscation-6391394-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
  • \objupdate forces OLE activation (high, RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Large hex data blocks in OLE object (high, RTF_EXCESSIVE_HEX)
    RTF contains ~1633KB of hex-encoded data inside \objdata sections; this may hide a payload.
  • OLE object data (medium, RTF_OBJDATA)
    RTF contains 10 \objdata section(s): embedded OLE objects.
  • Embedded OLE object (medium, RTF_OBJEMB)
    RTF contains \objemb: an embedded OLE object.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename                    Kind                 Source                            Size
objdata_00_off00002c2e.bin  rtf-objdata-decoded  RTF \objdata at offset 0x2C2E     22081 bytes
    SHA-256: e3f20873558618e8758b38b3e8b0e84c942baac2314aa71f8ec7a094dff6bc89
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
objdata_01_off00013271.bin  rtf-objdata-decoded  RTF \objdata at offset 0x13271    22081 bytes
    SHA-256: 53c77e818a17858d31b80f78284fef57eb917f375601ed97810de91f10d49145
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
objdata_02_off000238b4.bin  rtf-objdata-decoded  RTF \objdata at offset 0x238B4    22081 bytes
    SHA-256: 1da6865d9f14941af0f2b17db2791aa64382cb6a6bd67d42987945fc3fe549e0
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
objdata_03_off00033ef7.bin  rtf-objdata-decoded  RTF \objdata at offset 0x33EF7    22081 bytes
    SHA-256: 9924b82cd4ca66bf764fd149bf485861fd5df9afc7abdff73760c00209d686f9
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
objdata_04_off0004453a.bin  rtf-objdata-decoded  RTF \objdata at offset 0x4453A    22081 bytes
    SHA-256: bcb170456033e7e5c35d23e912dccf659d17a0ac38043f4ed7881f5e42e8b756
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
objdata_05_off00054b7d.bin  rtf-objdata-decoded  RTF \objdata at offset 0x54B7D    22081 bytes
    SHA-256: 83d37b5dc48db07e95348f6b935de30620a7e1fb705c6f4593cb8c9b2ec6b4ea
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
objdata_06_off000651c0.bin  rtf-objdata-decoded  RTF \objdata at offset 0x651C0    22081 bytes
    SHA-256: 0b73ae257e31ed6769c053a1ca405d06511e79582f13620bf5bb9a352bf2ea53
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
objdata_07_off00075803.bin  rtf-objdata-decoded  RTF \objdata at offset 0x75803    22081 bytes
    SHA-256: eec52924694ea6b99391e41c56637b246cc406a14082f69f03fa71df26b15d13
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
objdata_08_off00085e46.bin  rtf-objdata-decoded  RTF \objdata at offset 0x85E46    22081 bytes
    SHA-256: b2fd547ae7d1a1f71cce26a703bf87cbb5bb9f51ddb2b3bd233fb62de1eda132
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely
objdata_09_off00096489.bin  rtf-objdata-decoded  RTF \objdata at offset 0x96489    22081 bytes
    SHA-256: e818c63890fe3c4522132c6023bd8889db7bd990d1fb22ef77eeb51e0efcc4ee
    Detection: ClamAV: Doc.Macro.Obfuscation-6391394-0
    Obfuscation or payload: unlikely